From: domg472@gmail.com (Dominick Grift)
Date: Wed, 18 Aug 2010 15:38:01 +0200
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
In-Reply-To:
References: , <1282132367.4122.8.camel@flek>
Message-ID: <4C6BE239.3010901@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux experts,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> directory audit-test-*/utils/selinux-policy directory and use the
>> Makefile located there to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed the SELinux header properly I could enter audit-test/utils/selinux-policy/ and successfully build lspp_test.pp there; however, I run into the error messages below when trying to insert it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#

It's a bug in policy somewhere, I believe. Where exactly is kind of hard
to determine.

Do you have any custom modules loaded? In particular, custom modules that
call either userdom_unpriv_user_template or postgresql_role.

The issue is that there's a conflict. Some module uses (old)
sepgsql_table_t, whilst another uses (new) user_sepgsql_table_t.

So my guess is that you have a custom user domain policy loaded that was
not updated when you updated refpolicy. Maybe even lspp_test.pp is it. If
that is true, then you would need to build a new lspp_test.pp from
lspp_test.te.

> Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?
>
> Moreover, the audit-test-2090 seems to be a little "older" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?
>
> Thank you very much!
>
> Best regards,
>
> Harry
>
>> --
>> paul moore
>> linux @ hp
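
Added example (not part of the thread, and not refpolicy or audit-test code): Python that parses the libsepol error quoted above and reports which module supplies each conflicting `type_transition` default for that key. It assumes the module sources are already macro-expanded into plain rules; the module names `module_a` and `module_b` and the type `lspp_test_other_t` are constructed, and only the remaining type names come from the error message.

```python
import re
from collections import defaultdict
from itertools import product

# Matches the libsepol message quoted in the thread.
ERR_RE = re.compile(r"conflicting TE rule for \((\w+), (\w+):(\w+)\): "
                    r"old was (\w+), new is (\w+)")
# type_transition <source> <target>:<class> <default>;  braces hold sets.
RULE_RE = re.compile(r"type_transition\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)"
                     r"\s*:\s*(\{[^}]*\}|\S+)\s+(\w+)\s*;")

# Constructed sample input: module names and rule placement are hypothetical.
ERROR = ("libsepol.expand_terule_helper: conflicting TE rule for "
         "(lspp_test_generic_t, sepgsql_db_t:db_table): "
         "old was user_sepgsql_table_t, new is sepgsql_table_t")
MODULES = {
    "module_a": "type_transition lspp_test_generic_t sepgsql_db_t:db_table "
                "user_sepgsql_table_t;",
    "module_b": """
        # same (source, target, class) key, different default type
        type_transition { lspp_test_generic_t lspp_test_other_t }
            sepgsql_db_t:db_table sepgsql_table_t;
    """,
}

def parse_error(line):
    """Return ((source, target, class), {old, new}) or None if no match."""
    m = ERR_RE.search(line)
    if not m:
        return None
    src, tgt, cls, old, new = m.groups()
    return (src, tgt, cls), {old, new}

def transitions(modules):
    """Map (source, target, class) -> {default_type: [module names]}."""
    table = defaultdict(lambda: defaultdict(list))
    for name, text in modules.items():
        text = re.sub(r"#.*", "", text)  # drop policy comments
        for src, tgt, cls, default in RULE_RE.findall(text):
            fields = (f.strip("{} ").split() for f in (src, tgt, cls))
            for key in product(*fields):  # expand brace sets
                table[key][default].append(name)
    return table

def conflicts(modules):
    """Keys that are given more than one default type."""
    return {k: dict(v) for k, v in transitions(modules).items() if len(v) > 1}

def explain(error_line, modules):
    """For the key named in the error, return {default_type: [modules]}."""
    parsed = parse_error(error_line)
    return dict(transitions(modules).get(parsed[0], {})) if parsed else {}
```
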